Cyware Monthly Threat Intelligence, September 2020

The Good
Besides implementing all the key security controls, organizations also need to focus on the human element in cybersecurity. To that end, NIST has devised a method, Phish Scale, to help organizations analyze why employees fall prey to phishing attacks. Further, a team from Quantum Engineering Technology Labs found a unique method to make messaging secure. The U.S. Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) outlined the best cybersecurity practices for electric utilities.

  • Researchers at NIST developed a new method called Phish Scale to help organizations avoid getting victimized by phishing attacks. Phish Scale uses a rating system based on the message content in a phishing email.
  • A team of scientists from the QET Labs at the University of Bristol came up with a new technique to secure a multi-user quantum communication network. The technique can make messaging completely safe from interceptions.
  • The U.S. General Services Administration’s 18F digital services unit issued a field guide for federal agencies to help them mitigate cyber risks in their systems. The guide covers various topics related to cyber strategy development, including planning, acquisition, and execution.
  • Additionally, the DHS collaborated with Akamai and the Center for Internet Security on a project called the Malicious Domain Block and Reporting (MDBR) service. Under this initiative, the agency plans to improve the digital security of state and local governments by offering DNS filtering systems for free.
  • The U.S. FERC, NERC, and its entities released a report outlining the cyber incident response and recovery best practices for electric utilities. The guidelines include a clear definition of personnel roles and guidance for staff on taking action without unnecessary delays.

The Bad
This month witnessed a range of incidents in which organizations fell prey to targeted attacks. One of the largest-ever healthcare ransomware attacks struck Universal Health Services, shutting down its IT network across facilities in the U.S. Meanwhile, Midwest Property Management, Town Sports International, Microsoft Bing, shopping site Windeln.de, and several others exposed millions of records via unsecured servers. In other news, a hacker uploaded hacking techniques, in a PDF doc, on official websites of the WHO and UNESCO.

  • Allegedly, Ryuk actors crippled the computer networks of the Fortune 500 healthcare provider Universal Health Services, locking its computers and phone systems. The attack, which is also touted as one of the largest medical cyberattacks in U.S. history, resulted in no leak of patient or employee data.
  • French maritime transport and logistics giant, CMA CGM S.A. suffered a cyberattack, shutting down some of its servers at two of its APAC subsidiaries. Reportedly, the company’s Chinese offices were infected with the Ragnar Locker ransomware.
  • Unsecured databases were responsible for data leaks at Midwest Property Management and Town Sports International. While Midwest Property Management exposed 1.2 million records, the data leak at Town Sports International affected a terabyte of data associated with the company.
  • An unencrypted Elasticsearch server at BrandBQ, a European fashion retailer, laid bare sensitive personal and financial data of about 500,000 shoppers. Most of the database’s entries were activity logs from customer actions on the affected websites, including newsletter registrations, purchases (and related checkout details), and user agreements.
  • Hackers allegedly published data of thousands of Clark County School District students after it was infected with malware on August 27. Some of the files reportedly included employee SSNs, retirement paperwork, student birthdates, addresses, and grades.
  • University Hospital New Jersey (UHNJ) suffered an attack by SunCrypt ransomware. The attackers stole 240GB of data, of which 1.7GB containing 48,000 documents were posted online.
  • Researchers found PDF documents containing tricks for hacking online games and Facebook and Instagram accounts, which were uploaded to the websites of several organizations, including the WHO, UNESCO, the Georgia Institute of Technology, and a Cuban government website.
  • Microsoft left one of its backend servers, an unsecured Elasticsearch server, open to the internet, exposing over 6.5TB of log files containing 13 billion records originating from the Bing search engine.
  • The College of the Nurses of Ontario fell victim to a cyberattack, forcing the governing body for nurses to shut down its services. Separately, Long Island’s tertiary care center, Regional Trauma Center, and Stony Brook University notified their patients about a data breach due to the Blackbaud ransomware attack.
  • The German shopping giant Windeln.de exposed 882GB of data from 70 dating and e-commerce sites due to a misconfigured Elasticsearch database. The leaked data included invoices, full names, IP addresses, phone numbers, email addresses, and home addresses.

New Threats
Numerous new malware and vulnerability threats were also discovered this month. Security experts discovered the new Alien trojan capable of stealing credentials from at least 226 Android applications. Meanwhile, a flaw in the BLE reconnection procedure left billions of Android and iOS devices vulnerable to a new attack dubbed BLESA. Moreover, the Maze actor was spotted using Ragnar Locker’s evasion techniques.

  • ThreatFabric reported a new strain of Android malware called Alien that can steal credentials from 226 apps, including Facebook, Gmail, and Snapchat. This malware is based on the source code of the rival Cerberus malware, a trojan that has also integrated remote access features into its codebase.
  • Billions of IoT devices were reported vulnerable to new Bluetooth Low Energy Spoofing Attacks (BLESA) that arise due to a reconnection issue between paired devices. Apple has assigned CVE-2020-9770 for the related vulnerability affecting iOS and iPadOS.
  • Microsoft removed 18 Azure Active Directory applications from its Azure portal that were created and abused by a Chinese state-sponsored hacker group called Gadolinium. These apps were hosted on Active Directory as part of the group's command and control infrastructure in a COVID-19-related spearphishing campaign.
  • A new ransomware operation named Mount Locker was found to have been active since July 2020, stealing victims’ files before encrypting them and demanding multi-million dollar ransoms. The ransomware uses ChaCha20 and RSA-2048 to encrypt files.
  • The return of Zebrocy and Emotet, in different cyberespionage campaigns, was also reported by researchers and federal agencies. While the Zebrocy campaign leveraged fake NATO documents to target government bodies in specific countries, the Emotet trojan made use of legitimate email threads to evade detection.
  • While conducting an investigation, researchers found that Maze ransomware operators adopted an evasion technique pioneered by Ragnar Locker ransomware. The technique involves deploying the payload inside a virtual machine to evade detection.
  • Zeppelin ransomware returned in August with a newly spotted infection routine. The campaign was carried out through a phishing email containing malicious macros. The macros executed the About1.vbs trojan downloader, which later downloaded the ransomware onto a victim’s machine.
  • A newly discovered malware gang, named Epic Manchego, used malicious Excel files to bypass security scanners in an attack campaign targeted against companies across the world. The malicious files were distributed via phishing emails.
  • Cybercrime group TeamTNT relied on a legitimate tool, Weave Scope, to gain full control of Docker and Kubernetes platforms. The attackers installed this tool to map the cloud environment of their victim and execute system commands without deploying malicious code on the server.
  • Cisco Talos uncovered a series of email campaigns distributing various malware payloads, such as Gozi ISFB, ZLoader, SmokeLoader, and AveMaria. These emails included links to malicious documents that were hosted on legitimate file-sharing platforms.

Posted on: October 02, 2020
